
Design of an Instrumented Security System and integration to a DCS PCS 7 modules using MODBUS TCP / IP

Antonio Francisco Soto-Cervantes, Roger Jesus Coaquira-Castillo
Escuela Profesional de Ingeniería Electrónica
Universidad Nacional de San Antonio Abad del Cusco
Cusco, Perú

Abstract—One of the main problems of industrial processes is safety. A Safety Instrumented System (SIS) allows the control and safety of an industrial process to be carried out automatically. This work presents a compilation of norms and standards related to industrial safety. This information was used to design the safety instrumented system. With the objective of knowing the process, a mathematical model was developed, which contributed to a better understanding of the most important process variables and also to recognizing some process variables that had not been taken into account so far. This was also very helpful when automating the system, since the control logic and philosophies were based on the process variables studied. The Safety Instrumented System was developed based on the general requirements obtained from the standards previously studied. These requirements were applied to the process of pumping water between reservoirs, from which the safety integrity levels (SIL) were determined. Next, the control system and the safety system were integrated into the Siemens PCS 7 DCS module, which allowed all the process data to be concentrated on a historian server. Finally, the safety functions implemented were validated through theoretical checks based on SIL verification and through experimental tests that allowed us to assess the robustness of the implemented system when facing hazards.

Keywords—Safety instrumented, DCS, Safety integrity level, Industrial communication protocols.

I. INTRODUCTION

Safety Instrumented Systems (SIS) are one of the most commonly used methods of reducing the risks associated with major accident hazards in the process and other sectors. They can be found in various systems such as emergency shutdown, oil and gas, and machinery protection. A single SIS normally provides protection against a single hazard, and this poses a dilemma for designers when they are trying to fulfil the overall requirements for reducing risk. [1]

SIMATIC PCS 7, as a distinctly open system, can be flexibly adapted to a wide range of customer needs. The system software provides the project engineer with a great deal of freedom in terms of project configuration, as well as in the design of the program and visualization. [2]

First of all, the system that will be described later in this document did not have a safety system implemented, so the safety of the operation depended entirely on the operator. The operators were usually students from the university, therefore safety was not ensured. It was also necessary for the whole system to be supervised and controlled from the DCS module located near the process, in order to ensure reliability of the procedures and control over the overall system.

II. WATER PUMPING SYSTEM

A. Water pump kits

In the Professional School of Electronic Engineering of the National University of San Antonio Abad del Cusco (UNSAAC) there is a system for pumping water between reservoirs, as shown in Figure 1. This system has a PLC-based control system whose mode of operation is only manual and not automated.

The most important equipment of the water pumping system is: one Schneider Electric PLC TM221, one Schneider Electric 7" HMI model STU885, two pumps with 1 hp three-phase electric motors, two ATV320 VFDs to control the pumps, an ultrasonic level sensor, a temperature transmitter based on an RTD sensor, and two ON-OFF valves with solenoids as actuating mechanisms.

Fig. 1. Water pumping system between reservoirs

Initially, this system did not have a safety instrumented system, so the management and safety of the process were subject to the supervision of the human operator and to the safety characteristics of the equipment installed in the pumping module. However, these safety measures are not sufficient, because it is the undergraduate students of the professional school who interact the most with the aforementioned module, so the safety of its operation must be guaranteed at all times.

B. Automation of the pumping system

The control system must meet the following specifications:

• Ensure the correct operation of the water transfer process between reservoirs.
• Facilitate decision-making by process operators.

978-1-7281-9377-9/20/$31.00 ©2020 IEEE

Authorized licensed use limited to: Carleton University. Downloaded on November 01,2020 at 16:08:19 UTC from IEEE Xplore. Restrictions apply.
• Offer appropriate supervision and control of the process.
• Provide the ability to detect alarms.
• Execute all the regulatory and discrete control functions required by the process.

1) Transfer of water to reservoir B and simulation of consumption by manual actuation of the LV3 valve

The water contained in reservoir A (Figure 1) is transferred to reservoir B through the transport pipeline by means of the feed pump P-1. In reservoir B, consumption is simulated by operating the manual valve located at the bottom of reservoir B. The level of reservoir B is controlled automatically or manually as needed by establishing a reference water level in reservoir B. The pressure in the transfer pipeline is controlled manually at the discretion of the process operator.

Fig. 2. Graphical representation of the process variables in Reservoir B.

2) Transfer of water from reservoir B to reservoir C due to excessive accumulation of water

If the water level in reservoir B exceeds the programmed limits, the auxiliary discharge pumping system is activated so that the excess water is transferred to reservoir C.

3) PI Controller

For the tuning of the PID loop that regulates the level, the Ziegler-Nichols open-loop method was chosen because the open-loop transfer function was found in the previous chapter. However, in order to apply it in this chapter, we need to check that the mathematical model describes what actually happens in the process.

Fig. 3. Block diagram corresponding to the level control in reservoir B.

For this experiment the following considerations were taken:

• The level in reservoir B was established at 22 cm.
• The LV-3 valve (bottom valve in Figure 2) was opened and the P-1 pump started at 27.5 Hz.
• A data log of the level was made in the PLC until it reached the steady-state value (28 cm). This data was exported to MATLAB from the Microsoft Excel tables created by the data log.
• In MATLAB the transfer function was plotted under the same conditions.

Fig. 4. Graphical representation of the curves obtained to find the parameters of the PID regulator according to Ziegler-Nichols

From Fig. 4 it is observed that L = 4.5 and T = 46.5; with these values the constants Kp = 10 and Ti = 15 were obtained [3].

III. REQUIREMENTS AND TECHNICAL SPECIFICATIONS CONCERNING THE SAFETY OF THE PROCESS

A. Objectives of the IEC 61508 standard

• Cover the aspects and characteristics that have to be considered when E/E/PES are used to form systems that perform safety functions. As a consequence of this objective, the development and implementation of E/E/PES should be facilitated in industrial sectors where there are no similar standards.
• Standardize safety-oriented systems when such systems incorporate E/E/PES. Being a general standard, some requirements can be waived; these requirements are detailed in the standard itself. The human factor is not taken into account in this standard.
• Use the model based on the safety life cycle to achieve an optimal approach to the activities necessary to achieve functional safety.
• Provide general requirements for safety-related E/E/PES in industrial sectors where there is still no defined standard.

B. Safety life cycle

It is the engineering process in which all the procedures to achieve functional safety are included. It should be borne in mind that, although the ISA 84.01 standard has similar objectives to IEC 61508, the safety life cycle described in ISA 84.01 is different from that of the following figure; nevertheless, they converge in their functions.

C. Safety integrity levels (SIL)

They are conceptualized as the magnitude of the level of risk reduction. In the IEC 61508 standard there are 4 specific levels, SIL 1 being the lowest level of risk reduction and SIL 4 the highest.
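The reaction-curve tuning of Section II.B.3, as an added example and not the authors' MATLAB work: it applies the Ziegler-Nichols open-loop rules to the L = 4.5 and T = 46.5 read from Fig. 4 and then simulates the tuned PI loop on a first-order-plus-dead-time level model to check that it settles. The process gain K = 1, a time base in seconds and the absence of actuator saturation are assumptions; the paper does not state them.

```python
from collections import deque
import math

# Dead time L and time constant T read from the reaction curve of Fig. 4.
# The paper gives no process gain, so K = 1 (level per unit drive command) is assumed.
L_DEAD, T_CONST, K_GAIN = 4.5, 46.5, 1.0


def zn_open_loop(L, T, K=1.0, kind="PI"):
    """Ziegler-Nichols reaction-curve rules. With L=4.5, T=46.5, K=1 the PI row
    gives Kp=9.3 and Ti=15, i.e. the paper's Kp=10 (rounded) and Ti=15."""
    if L <= 0 or T <= 0 or K == 0:
        raise ValueError("L and T must be positive, K non-zero")
    rules = {
        "P": {"Kp": T / (K * L)},
        "PI": {"Kp": 0.9 * T / (K * L), "Ti": L / 0.3},
        "PID": {"Kp": 1.2 * T / (K * L), "Ti": 2.0 * L, "Td": 0.5 * L},
    }
    return rules[kind]


def simulate_pi(L, T, K, Kp, Ti, setpoint=1.0, t_end=600.0, dt=0.1):
    """Euler simulation of the first-order-plus-dead-time model
    T*dy/dt = -y + K*u(t-L) under the PI law u = Kp*(e + integral(e)/Ti).
    Returns (final_level, peak_level); no actuator saturation is modelled."""
    n_delay = max(1, int(round(L / dt)))
    pipeline = deque([0.0] * n_delay)  # transport delay of the control signal
    y = integral = peak = 0.0
    for _ in range(int(round(t_end / dt))):
        e = setpoint - y
        integral += e * dt
        u = Kp * (e + integral / Ti)
        u_delayed = pipeline.popleft()  # command issued L seconds ago
        pipeline.append(u)
        y += dt * (-y + K * u_delayed) / T
        peak = max(peak, y)
    return y, peak


def tune_and_check(setpoint=1.0):
    """Tune from the paper's L and T and report whether the loop settles."""
    p = zn_open_loop(L_DEAD, T_CONST, K_GAIN, "PI")
    final, peak = simulate_pi(L_DEAD, T_CONST, K_GAIN, p["Kp"], p["Ti"], setpoint)
    return {"Kp": p["Kp"], "Ti": p["Ti"], "final": final, "peak": peak,
            "overshoot_pct": 100.0 * (peak - setpoint) / setpoint,
            "settled": math.isclose(final, setpoint, abs_tol=0.01 * setpoint)}


if __name__ == "__main__":
    print(tune_and_check())
```

The quarter-decay design of Ziegler-Nichols is deliberately aggressive, so the simulated step response overshoots before settling; a slower retune would be the usual next step for a level loop.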

TABLE I. SAFETY INTEGRITY LEVELS BASED ON DEMAND [4]

Safety Integrity Level | Probability of failure on demand, average (low demand mode of operation) | Risk Reduction Factor
SIL 4 | >=10^-5 to <10^-4 | 100000 to 10000
SIL 3 | >=10^-4 to <10^-3 | 10000 to 1000
SIL 2 | >=10^-3 to <10^-2 | 1000 to 100
SIL 1 | >=10^-2 to <10^-1 | 100 to 10

IV. TESTS AND RESULTS

A. HAZOP Analysis

TABLE II. HAZOP ANALYSIS OF THE WATER PUMPING SYSTEM

Node | Deviation | Causes | Consequences | Control response | Signaling | Actions to take | Comments
100 | High level | Automatic control failure; poor manual operation | Damage to nearby equipment; damage to facilities and personnel | PLC turns off pump P1 and turns on the exhaust system | HMI alarm | Implement SIS | There is a programmable logic protection system; however, it is considered insufficient
200 | High pressure | LV1 valve failure | Pipe rupture with damage to equipment and personnel; instrumentation damage near the node | Operator identifies high pressure and turns off the control loop and pump P1 | PI1 pressure gauge | Implement SIS | The current protection system is basic and could fail
300 | Abnormal current | Abnormal conditions on pumps P1 and P2 | Damage to all the equipment involved | Stop of actions by the drive; drive safeties activated | Drive display indicating abnormal behavior | Show instantaneous values in SCADA | No other layer of protection is required (*)

B. SIL determination

TABLE III. ANALYSIS RESULTS FOR SIL DETERMINATION AT NODE 100

Parameter | Consequence | Exposure frequency | Probability of avoiding the dangerous event | Probability of occurrence of the dangerous event | Result
Choice | C2 | F2 | P1 | W1 | SIL 1
Commentary | The dangerous event could cause accidents to personnel due to wet facilities and equipment. | The personnel involved are in the surroundings of the process when it is in operation. | It is possible that the event may occur due to carelessness of the staff or failure of the BPCS. | Due to the safeties programmed in the PLC it is very unlikely that the negative event will occur. |

TABLE IV. ANALYSIS RESULTS FOR SIL DETERMINATION AT NODE 200

Parameter | Severity | Eventuality | Number of protection layers | Result
Choice | Less | Mean | 1 | SIL 1
Commentary | From experience using the module, it is known that the LV1 solenoid valve tends to block over time. | The protection layer can mitigate the consequences of this risk; however, by not having digital supervision, it has more possibilities of failure. | This number was determined in the previous item. |

C. Implementation of safety functions

The equipment to be used for the implementation of the SIF safety functions is listed below.

TABLE V. IMPLEMENTATION OF THE SAFETY FUNCTION OF THE LEVEL CONTROL NODE.

| Sensor | Logical controller | Actuator
Specific equipment | Level transmitter | PLC | Relay + Contactor
Model | SIEMENS SITRANS LH100 Level Transmitter | S7 400 CPU 410 5H | OMRON MK 2PI + SCHNEIDER LC1E09
Comments | It will record the liquid level in reservoir B and send the data to the PLC | Will execute the safety logic to mitigate the consequences of the respective hazards | De-energize the feed pump to reservoir B

TABLE VI. IMPLEMENTATION OF THE SAFETY FUNCTION OF THE PRESSURE CONTROL NODE.

| Sensor | Logical controller | Actuator
Specific equipment | Pressure transmitter | PLC | Variable speed drive
Model | NCS-PT105 II Profibus Transmitter | S7 400 CPU 410 5H | SCHNEIDER ALTIVAR 320
Comments | It will measure the pressure in the discharge line and send the data to the PLC | Will execute the safety logic to mitigate the consequences of the respective hazards | Will perform a quick stop of the pump

Thus, the SIF is proposed as shown in Fig. 5.

Fig. 5. P&ID including the implemented safety functions (drawn in red).

According to the arithmetic formulas used for the determination of the SIL reached after SIS implementation [5], it was theoretically verified that the SIL reached was SIL 2. All the data needed, such as the dangerous undetected failure rates, were extracted from the SILSafeData website [6].

D. Network architecture for the integration of the control and safety system to DCS PCS 7

Regarding the network architecture, the system was integrated using the different industrial network protocols defined by the equipment used. However, the importance of the Modbus TCP/IP and Profinet protocols must be highlighted, due to the number of variables that these protocols allow to be sent between devices and the robustness they offer to guarantee success when sending data. The following figure defines the DCS network architecture and the control system.
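Returning to the SIL verification of Section IV.C, as an added example rather than the authors' calculation: it sums the average PFD of the sensor, logic solver and final element of the level-control node (Table V) with the simplified 1oo1 formula PFDavg ≈ λDU·T1/2 and maps the result onto the bands of Table I, also reporting which subsystem dominates. The dangerous-undetected failure rates and the proof-test intervals are constructed placeholders, not the SILSafeData figures the authors used.

```python
import math

# (lower PFD bound inclusive, upper bound exclusive) per Table I, low-demand mode
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
HOURS_PER_YEAR = 8760.0


def pfd_avg_1oo1(lambda_du_per_h, proof_test_interval_h):
    """Simplified IEC 61508-6 estimate for a single channel without redundancy:
    PFDavg ~= lambda_DU * T1 / 2 (detected failures and repair time ignored)."""
    if lambda_du_per_h < 0 or proof_test_interval_h <= 0:
        raise ValueError("failure rate must be >= 0 and test interval > 0")
    return lambda_du_per_h * proof_test_interval_h / 2.0


def sil_from_pfd(pfd):
    """Map an average PFD to the SIL band of Table I; None if outside the table."""
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return None


def sif_assessment(subsystems, proof_test_interval_h):
    """Sum the PFDavg of sensor, logic solver and final element (they act in
    series) and return the achieved SIL, risk reduction factor and weakest part."""
    per_part = {name: pfd_avg_1oo1(ldu, proof_test_interval_h)
                for name, ldu in subsystems.items()}
    total = sum(per_part.values())
    return {"pfd_per_subsystem": per_part, "pfd_total": total,
            "rrf": math.inf if total == 0 else 1.0 / total,
            "sil": sil_from_pfd(total),
            "weakest": max(per_part, key=per_part.get)}


# Constructed placeholder dangerous-undetected rates (per hour) for the
# level-control node of Table V; substitute certified figures in practice.
LEVEL_NODE = {"SITRANS LH100 level transmitter": 3e-7,
              "S7-400 CPU 410-5H logic solver": 1e-8,
              "OMRON MK 2PI relay + Schneider LC1E09 contactor": 5e-7}

if __name__ == "__main__":
    for years in (1, 2, 3):
        r = sif_assessment(LEVEL_NODE, years * HOURS_PER_YEAR)
        print(f"proof test every {years} y: PFD={r['pfd_total']:.2e} "
              f"RRF={r['rrf']:.0f} SIL={r['sil']} weakest={r['weakest']}")
```

Lengthening the proof-test interval raises the PFD linearly, so the same hardware can drop a whole SIL band if testing is deferred.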

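The Modbus TCP exchange that carries process values between the PLCs and the DCS (Section IV.D), as an added example and not the authors' configuration: it builds a Read Holding Registers request with its MBAP header and validates the reply against the request before accepting the register values, rejecting mismatched transaction or unit identifiers, inconsistent length fields and exception responses. The register address 0x0100, the unit identifier and the sample reply bytes are constructed.

```python
import struct

FC_READ_HOLDING = 0x03  # Modbus function code 3


def build_read_holding(transaction_id, unit_id, start_addr, count):
    """ADU = MBAP header (tid, protocol 0, length, unit) + PDU (fc, addr, count)."""
    if not 1 <= count <= 125:
        raise ValueError("Modbus allows 1..125 registers per read")
    pdu = struct.pack(">BHH", FC_READ_HOLDING, start_addr, count)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_read_holding_response(adu, expected_tid, expected_unit):
    """Check the MBAP header against the request and return the register
    values, raising on an exception response or a malformed frame."""
    if len(adu) < 9:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", adu[:7])
    if proto != 0 or length != len(adu) - 6:
        raise ValueError("bad protocol id or length field")
    if tid != expected_tid or unit != expected_unit:
        raise ValueError("response does not match request")
    fc = adu[7]
    if fc == FC_READ_HOLDING | 0x80:  # exception response from the device
        raise ValueError(f"device exception code 0x{adu[8]:02x}")
    if fc != FC_READ_HOLDING:
        raise ValueError(f"unexpected function code 0x{fc:02x}")
    byte_count, data = adu[8], adu[9:]
    if byte_count != len(data) or byte_count % 2:
        raise ValueError("byte count does not match payload")
    return list(struct.unpack(f">{byte_count // 2}H", data))


# Constructed sample: request 3 registers from unit 1 at address 0x0100 and a
# matching reply carrying level 220 (mm), pump speed 275 (Hz x10), status 1.
SAMPLE_REQUEST = build_read_holding(0x0001, 1, 0x0100, 3)
SAMPLE_RESPONSE = bytes.fromhex("0001 0000 0009 01 03 06 00dc 0113 0001")

if __name__ == "__main__":
    print(SAMPLE_REQUEST.hex())
    print(parse_read_holding_response(SAMPLE_RESPONSE, 0x0001, 1))
```

Modbus TCP carries no authentication or integrity field of its own, so this header and length checking only guards against malformed or mis-routed frames; segmentation of the plant bus remains the actual access control.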
Fig. 6. Network diagram of the system in general.

The addresses that identify each piece of equipment according to the protocol are detailed in Table VII.

TABLE VII. IMPLEMENTATION OF THE SAFETY FUNCTION OF THE PRESSURE CONTROL NODE.

EQUIPMENT | IP ADDRESS | COMMENTARY
ES/OS SERVER | CP1623: 192.168.10.7; Intel 210: 192.168.10.102 | The engineering/operation station has two network cards, the first for the plant bus and the second for the terminal bus.
HISTORIAN SERVER | 192.168.10.3 |
SIEMENS S7-400 CPU 410 5H | Plant bus: 192.168.11.10; Field bus: 192.168.10.10 | The first address is used for communication with field equipment and the second with servers and terminals
SCHNEIDER M221 | 192.168.11.12 | -
ET200M Profinet | 192.168.11.14 | -
HMI | 192.168.11.9 | -

TABLE VIII. COMPUTERS WITH DIFFERENT CONNECTIVITY.

Equipment | Protocol / Address | Commentary
NCS105PTII Pressure Transmitter - MicroCyber | Profibus / 3 | The master of this device is the S7-400 PLC
Variator ATV 320 Nro 1 | Modbus RTU / 10 | The master of this device is the M221 PLC
Variator ATV 320 Nro 1 | Modbus RTU / 11 | The master of this device is the M221 PLC

After configuring communications, both systems (safety and control) can be supervised from the DCS PCS 7. Figure 7 shows the SCADA supervision application built on WinCC 7.3; a window was also created that focuses on reservoir B.

Fig. 7. SCADA screen for monitoring the process of pumping water between reservoirs.

The histories of all system variables have also been integrated into the independent HISTORIAN data system of PCS 7, so all data are now available for further temporal processing.

Fig. 8. Reports in the form of trends obtained from the INFORMATION SERVER application for the acquisition of archived data on the HISTORIAN server

V. CONCLUSIONS

This paper summarizes the design and implementation of a Safety Instrumented System for a water pumping system located in a laboratory of the university. The main reason for this implementation is that the operators of the process mentioned before are students of the professional school. Therefore the safety system provides security in the operation of the overall system and ensures that the equipment and personnel are safe at all times. The control and safety systems were also integrated into a PCS 7 DCS module, so all the data from the process (safety and control) are now available from the DCS for processing and supervision. This integration was made possible by the implementation of a MODBUS TCP/IP network on the system. Now all the data are gathered and stored on a specialized PROCESS HISTORIAN server, so all the data can be accessed later. All the process values are also available for supervision in the SCADA system of the DCS (Siemens WinCC), therefore the operators can also operate the process from this SCADA system.

ACKNOWLEDGMENT

The authors thank the Professional School of Electronic Engineering UNSAAC for allowing us to use the Industrial Automation laboratory, where this study was conducted.

REFERENCES

[1] C. R. Timms, "Achieving ALARP with Safety Instrumented Systems", United Kingdom.
[2] Siemens AG, "Process Control System PCS 7 Compendium Part A - Configuration Guidelines (V8.1)", Nuremberg, Germany, December 2014.
[3] K. Ogata, "Ingeniería de control moderna", 5th ed., Pearson Education, Madrid, Spain, 2010.
[4] Exida, "IEC 61508 Overview Report", 2006. [Figure]. Retrieved from https://www.win.tue.nl/~mvdbrand/courses/sse/1213/iec61508_overview.pdf
[5] B. Abbamonte, G. Landrini, T. Vande, "Safety Instrumented Systems", 4th ed., GMI Technology for Safety, Italy, 2017.
[6] Exida, "Failure Rates for Process Industry Applications", 2020. [Online]. Available: silsafedata.com
